b'DEPARTMENT OF HOMELAND SECURITY\n\n   Office of Inspector General\n\n\n    Independent Auditor\'s Report on\n\n  FEMA\'s FY 2008 Mission Action Plans\n\n\x0c                                                              Office of Inspector General\n\n                                                              U.S. Department of Homeland Security\n                                                              Washington. DC 25028\n\n\n\n\n                                                               Homeland\n                                                               Security\n                                        July 9, 2008\n\n                                           Preface\n\n\nThe Department of Homeland Security (DHS) Office ofInspector General (DIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThe attached report presents the results of the Federal Emergency Management Agency\n(FEMA) fiscal year 2008 Mission Action Plans audit. We contracted with the\nindependent public accounting firm KPMG LLP (KPMG) to perform the audit. The\ncontract required that KPMG perform its audit according to generally accepted\ngovernment auditing standards. KPMG is responsible for the attached independent\nauditor\'s report and the conclusions expressed in it.\n\nThe recommendations herein have been discussed in draft with those responsible for\nimplementation. It is our hope that this report will result in more effective, efficient, and\neconomical operations. We express our appreciation to all of those who contributed to\nthe preparation of this report.\n\n\n\n\n                                       Richard L. Skinner\n\n                                       Inspector General\n\n\x0c                               KPMG LLP                                                                   Telephone 2025333000\n                               2001 M Street, NW                                                          Fax       202 533 8500\n                               Washington, DC 20036                                                       Internet  www.us.kpmg.com\n\n\n\n\nFebruary 22, 2008\n\nMs. Anne Richards\nAssistant Inspector General for Audit\nDepartment of Homeland Security, Office of the Inspector General\n\nMr. David Norquist\nChief Financial Officer\nDepartment of Homeland Security\n\nThis report presents the results of our work conducted to address the performance audit objectives relative\nto the Department of Homeland Security\'s (DHS or the Department) Mission Action Plans (MAPs)\ndeveloped to address the internal control deficiencies at the Federal Emergency Management Agency\n(FEMA). These deficiencies were identified by management and/or reported in the Independent\nAuditors\' Report included in the Departments fiscal year 2007 Annual Financial Report (herein referred\nto as the "FY 2007 Independent Auditors\' Report").\n\nThis performance audit is the fourth in a series of four performance audits that the Department\'s Office of\nInspector General ("OIG") engaged us to perform related to the Department\'s fiscal year 2008 MAPs for\nuse in developing the Department\'s Internal Control Over Financial Reporting ("ICOFR") Playbook.\nThis performance audit was designed to meet the objectives identified in the Objectives, Scope, and\nMethodology section of this report. Our procedures were performed using draft MAPs provided to us on\nJanuary 22, 2008. Interviews with DHS and FEMA management and other testwork, was perfonned at\nvarious times through Febmary 12,2008, and our results reported herein are as of February 22, 2008.\n\nWe conducted this performance audit in accordance with generally accepted government auditing\nstandards (GAS). Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings based on\nour audit objectives.\n\nThis performance audit did not constitute an audit of the financial statements in accordance with GAS.\nKPMG was not engaged to, and did not, render an opinion on the Department\'s or FEMA\'s internal\ncontrol over financial reporting or over financial management systems (for purposes of OMB\'s Circular\nNo. A-In, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting\nthe results of our evaluation to future periods is subject to the risks that controls may become inadequate\nbecause of changes in conditions or because compliance with controls may deteriorate.\n\n\n\n\n                                   lC\'MG LLP, a U S Ilmltrr:d lla\'l>I,lly par!l)erShl), ,S 1\'1;J. u.s\n                                   :.v;;,nber firm oi KP!..IG Inlern<lIIQ\xc2\xb7\'1i!i as\', \'1$$ ce-op.;ra\'1H)\n\x0cTable of Contents\n\n EXECUTIVE SUMMARY                             2\n\n BACKGROUND                                    4\n\n.OBJECTIVE, SCOPE, AND METHODOLOGy             5\n\n FINDINGS AND RECOMMENDATIONS                  7\n\n MANAGEMENT RESPONSE TO REPORT            ;    9\n\n KEY DOCUMENTS AND DEFINITIONS                10\n\n\n\n\n\n                                     1\n\n\x0cEXECUTIVE SUMMARY\n\nThe Department has identified deficiencies in internal control over financial reporting through its annual\nassessment conducted pursuant to OMB (Office of Management and Budget) Circular No. A-123,\nManagement\'s Responsibility for Internal Control, and in compliance with the Federal Managers\'\nFinancial Integrity Act (FMFIA). Some of the deficiencies were identified as material weaknesses, by\nDRS\' external financial statement auditor. Beginning in 2006, the Department launched a comprehensive\ncorrective action plan to remediate known internal control deficiencies. The plan is documented in the\nInternal Controls Over Financial Reporting Playbook (ICOFR Playbook). The Mission Action Plan\n(MAP) is a key element of the ICOFR Playbook that documents the remediation actions planned for each\ninternal control deficiency at the DRS component level. The MAP provides specific actions, timeframes,\nkey milestones, assignment of responsibility, and the timing of corrective action validation.\nThe Federal Emergency Management Agency (FEMA) developed four MAPs to be includeq in the 2008\nICOFR Playbook. The MAPs are intended to address control deficiencies identified in Financial\nManagement, Entity Level Controls (ELC), Financial Reporting, Actuarial and Other Liabilities,\nBudgetary Accounting, and Capital Assets and Supplies.\nThe objective of this performance audit was to evaluate and report on the status of the four detailed MAPs\nprepared by FEMA to correct the internal control deficiencies over financial reporting described above.\nWe conducted our audit in accordance with the standards applicable to such audits contained in the\nGovernment Auditing Standards, issued by the Comptroller General of the United States. Our audit was\nperformed using specific criteria to assess the MAP development process used by FEMA, and to evaluate\nthe MAPs submitted by FEMA to the Department\'s Chief Financial Officer for inclusion in the 2008\nICOFR Playbook.\nThe evaluation criteria were developed from a variety of sources including technical guidance published\nby OMB, the Government Accountability Office, and from applicable laws and regulations. We also\nconsidered DRS\' policies and guidance, and input from the Office of Inspector General when designing\nevaluation criteria. Our evaluation criteria were:\n    1.\t Identification (of the root cause) - Identification of the appropriate underlying root cause that is\n        causing the internal control deficiency condition(s).\n    2.\t Development (of the MAP) - Clear action steps that address the root cause, and attainable and\n        measurable milestones at an appropriate level of detail.\n    3.\t Accountability (for execution of the MAP) - The individual MAP owner is responsible for its\n        successful implementation, ensuring that milestones are achieved and that the validation phase is\n        completed.\n    4.\t Verification and validation - The MAP includes written procedures to verify successful\n        implementation of the MAP, a means to track progress throughout the MAP lifecycle, and\n        reporting results when complete.\nIn summary, we noted that FEMA has prepared MAPs to address its known control deficiencies described\nabove. In addition, FEMA made certain modifications to the ICOFR Playbook, after their MAPs were\nsubmitted to the DRS CFO e.g., adding milestones, that were not reflected in the MAPs. We considered\nthose modifications in drafting our report, however due to the timirig of our review, we were unable to\nperform audit procedures on those modifications.\nWe noted areas where the MAPs could be improved. Specifically, we noted that the MAP Summary and\nDetailed Report documents (described in the Key Documents and Definitions section of this report) could\nbe improved. The root cause analysis is often only generally defmed and in some cases is a condition or\nsymptom of the problem, instead of describing the underlying issue. The milestone steps are not clearly\nlinked to root causes or financial statement assertions, and the MAPs do not contain the depth of analysis\nand independent consideration that is required by the Department\'s MAP Guide. The MAPs could be\n\n\n\n                                                     2\n\n\x0cimproved by expanding the milestones to include more detailed steps, including measurable action steps\nthat would remediate the root cause of the control deficiencies.\nCritical dependencies are not clearly identified within each MAP and affected milestones, for example\ninterdependencies between certain milestones, accounting processes, and other Federal agencies. In\naddition, the MAPs do not reflect FEMA\'s dependence on the Department for various policies and\nprocedures, and executive management support for organizational change needed to remediate FEMA\'s\nentity level control deficiency. In addition, the MAPs do not include detailed procedures to assess the\nfunctionality of current information technology (IT) system used in affected processes. FEMA\'s IT\nsystems influence their ability to maintain an accurate accounting after corrective actions are taken.\nThe milestones do not separately address the need for "catch-up" or financial statement true-up actions, to\nreconcile the backlog of old mission assignments, or to establish a beginning inventory of capital assets.\nIn addition, as written, the FEMA MAPs lack a complete plan for verification and validation of MAP\nresults that can be used to monitor and report results, and the MAPs are not clearly linked to the\nDepartment\'s OMB Circular A-123 initiatives currently underway.\nWe recommend that FEMA continue to perform an in-depth root cause analysis until management has\nfully determined Why, when, and how the control deficiencies occurred. FEMA should expand the MAPs\nto include more detail, measurable action steps, specific actions, assignments to individuals, link the\nmilestones to root causes and financial statement assertions, and update the time-line for completion.\nFEMA should prioritize the MAPs and milestone actions to focus on areas that may result in cross-cutting\nbenefits, and minimize duplication of effort where corrective actions overlap (Le., correction of IT system\nposting logic errors may resolve multiple issues, or mitigate the need for process changes).\nFEMA should identify and document its consideration of all significant interdependencies, with\noverlapping processes and other FEMA MAPs, other Departmental MAPs, and other actions that need to\nbe taken by other Federal agencies. FEMA should also include specific assessments of IT systems in the\nearly\xc2\xb7 stages of the MAP process, to ensure that FEMA\'s IT systems are able to support updated\nprocedures, corrected processes, and new internal control procedures.\nWe recommended that FEMA revise the MAPs to separate the financial statement balance reconciliation\nand corrective adjustment procedures from the process and control redesign aspect of the MAPs \xc2\xad\nseparating the historical and prospective elements of the MAP. Historical actions are generally one-time\nevents, while the prospective actions will likely require systemic, organizational, procedural, and process\nchanges, which may be more complex.\nWhen the MAPs are further developed, including the updates made in the ICOFR Playbook, develop a\nplan to verify and validate MAP results.\n\n\n\n\n                                                     3\n\n\x0cBACKGROUND\n\nThe Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA)\nrecognize that deficiencies in internal control over [mancial reporting exist. The internal control\ndeficiencies are reported by DHS management in its annual Secretary\'s Assurance Statement, issued\npursuant to OMB Circular A-123, Management\'s Responsibility Jor Internal Control. The Secretary\'s\nAssurance Statement, and the findings of the external auditor, is reported in the Department\'s fiscal year\n2007 Annual Financial Report (AFR). The conditions causing the internal control weaknesses are diverse\nand complex. Many conditions, which are systemic, were inherited with the legacy financial processes\nand IT systems in place at the time of the Department\'s formation in 2003. The evolution of the\nDepartment\'s mission, programs, component restructuring, and other infrastructure changes, has made\nremediation of these internal control weaknesses very challenging. To meet this challenge the\nDepartment\'s Secretary, Chief Financial Officer and Financial Management in the DHS components\nadopted a comprehensive strategy to implement corrective actions beginning in fiscal year (FY) 2007 and\ncontinuing in future years.\nThe Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office\n(ICPMO) is primarily responsible for the development and implementation of the Department\'s strategy\nto implement mission action plans. The ICPMO has documented their strategy and other related plans to\nremediate identified internal control deficiencies, in the Internal Controls Over Financial Reporting\nPlaybook (ICOFR Playbook).\nIn 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the\nDepartment enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial\nManagement Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the\nDepartment and the components developed Mission Action Plans (MAP), which describe the corrective\nactions to be implemented. The Department continued to utilize an Electronic Program Management\nOffice (ePMO), a Web-based software application, to manage the collection and reporting of MAP\ninformation.\nThe MAP guide is applicable to all Department components, including FEMA, and outlines the policies\nand procedures necessary to develop fiscal year 2008 Department MAPs. All components were required\nto submit MAPs, or MAP updates, for any new or existing internal control deficiencies over financial\nreporting, identified by management or the external auditors, for incorporation into the fiscal year 2008\nICOFR Playbook.\nTo comply with Management Directive 1030, and the MAP Guide, FEMA prepared four detailed MAPs\nfor fiscal year 2008, to address the internal control deficiencies over Financial Management and Entity\nLevel Controls; Financial Reporting; Capital Assets and Supplies; Actuarial and Other Liabilities; and\nBudgetary Accounting that contributed to Departmental material weaknesses in the FY 2007 Independent\nAuditors\' Report, which are summarized below:\n   \xe2\x80\xa2\t Financial Management and Entity Level Controls, and Financial Reporting - FEMA has not\n      established the financial management organizational structure with clear oversight and\n      supervisory review functions necessary to support the development and implementation of\n      effective policies, procedures, and internal controls over financial reporting. This structure is\n      needed to ensure that accounting principles are correctly applied and accrued financial data is\n      submitted to the OCFO for consolidation timely.\n   \xe2\x80\xa2\t Capital Assets and Supplies - FEMA maintains a stockpile inventory of seven life-saving\n      commodities for use in disaster relief efforts. FEMA did not fully adhere to policies and\n      procedures when performing its annual physical count of its stockpile inventory. Furthermore,\n      FEMA did not record the activity related to the stockpile inventory within its general ledger\n      throughout the year under the consumption method.\n\n\n\n                                                    4\n\x0c    \xe2\x80\xa2\t Actuarial and Other Liabilities - In FY 2007, the Office of Grants and Training (G&T)\'s\n       operations were transferred to FEMA as part of the Post Katrina Emergency Management Refonn\n       Act. of 2006. FEMA was unable to develop and apply a reliable estimation methodology to\n       accrue non-federal grants payable or advances related to the fonner G&T portfolio of grants in the\n       Department\'s financial statements. The development of the methodology would include the\n       validation of data inherited and the assumptions made.\n    \xe2\x80\xa2\t Budgetary Accounting - A "mission assignment" is the vehicle used by FEMA to support Federal\n       operations during a major disaster or emergency declaration covered under the Stafford Act.\n       FEMA has not adequately monitored the status of its mission assignment obligatious nor ensured\n       the timely deobligation of mission assignments. The control weaknesses surrounding these\n       mission assignments may allow a material misstatement of the related undelivered orders to go\n       undetected. During FY 2007 FEMA was unable to obtain timely documentary evidence,\n       including sufficient costlbilling data from other Federal agencies supporting the progress of active\n       mission assignments, and therefore was not able to deobligate or validate the continued carrying\n       of mission assignment undelivered orders timely.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjective\nThe objective of this performance audit was to evaluate and report on the status of detailed MAPs\nprepared by FEMA to correct internal control deficiencies over financial reporting. Our evaluation was\nperfonned using specific criteria, described in the methodology section below, to assess the process used\nto develop and document FEMA\'s fiscal year 2008 MAPs. We did not evaluate the outcome of the MAP\nprocess or any corrective actions taken by management during our audit, and our fmdings should not be\nused to project ultimate results from MAP implementation. Recommendations are provided to help\naddress findings identified during our performance audit.\n\nScope\nThe scope of this perfonnance audit includes FEMA\'s MAPs developed to address the Financial\nManagement and Entity Level Controls and Financial Reporting; Capital Assets and Supplies; Actuarial\nand Other Liabilities; and Budgetary Accounting internal control deficiencies at FEMA in the Secretary\'s\nAssurance Statement and in the FY 2007 Independent Auditors\' Report. The MAPs subjected to our\nevaluation were provided to us by the OCFO, on behalf ofFEMA, on January 22, 2008.\nCertain modifications were made to the ICOFR Playbook, after January 22, 2008, e.g., adding milestones,\nthat were not reflected in the MAPs. We considered those modifications in drafting our report, however\ndue to the timing of our review, we were unable to perform audit procedures on those modifications.\nThe scope of this perfonnance audit did not include procedures on any of the MAPs associated with other\ncontrol deficiencies existing at FEMA as reported in the FY 2007 Independent Auditors\' Report. Our\nperfonnance audit was perfonned between January 22, 2008 and February 12, 2008, and our results\nreported herein are as of February 22, 2008.\n\nMethodology\nWe conducted this perfonnance audit in accordance with the standards applicable to such audits contained\nin the Government Auditing Standards, issued by the Comptroller General of the United States. Our\nmethodology consisted of the following four-phased approach:\nProjectInitiation and Planning - We attended meetings with the Department\'s OIG, OCFO, and FEMA\nto review the performance audit objectives, scope, describe our approach, communicate data requests, and\nto gain an understanding of the status ofFEMA\'s 2008 MAPs.\n\n\n\n\n                                                    5\n\x0cData Gathering - We perfonned interviews with Accounting and Finance management and staff at\nFEMA and OCFO. Through these interviews, we gained an understanding of the process used to develop\nthe MAPs, including key inputs and data used, assumptions made, and reasons for conclusions reached.\nThe interviews focused on the analysis performed by FEMA to identify the underlying problems creating\nthe internal control weakness (root cause) and planned corrective actions, the critical milestones chosen\nfor measurement, and the methods. used to monitor and validate progress in meeting the milestones. We\ndiscussed FEMA\'s resource allocation strategy employed in the development and eventual\nimplementation of the MAP, including the utilization of contractors to supplement staff as needed and the\nuse of specialists, if necessary. We also conducted meetings with the Department\'s 010 to identify and\nagree to the criteria used to evaluate the status of the MAPs (as defined below).\nWe also performed reviews of key documents and supporting information provided to us by OCFO. Our\ndocumentation reviews included:\n    \xe2\x80\xa2\t The four FEMA MAPs (Le., the MAP Detail and Summary Reports) that were included within\n       our scope, and any underlying supporting documentation provided by the components.\n    \xe2\x80\xa2\t The Notices of Findings and Recommendations (NFRs) issued during the FY 2007 financial\n       statement audit by the external auditors that supported the internal control findings reported in the\n       FY 2007 Independent Auditors\' Report.\n    \xe2\x80\xa2\t Information provided by FEMA management regarding the allocation of resources related to all\n       MAPs, including the utilization of contractors.\n    \xe2\x80\xa2\t The Annual Component Head Assurance Statements provided pursuant to the requirements of\n       OMB Circular A-123.\n    \xe2\x80\xa2\t The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring\n       guidance (e.g., OMB Circular No. A-123).\nAnalysis Using Established Criteria - Our evaluation criteria were developed from a variety of sources\nincluding technical guidance published by OMB, e.g., Circular A-123, the GAO, e.g. Standards for\nInternal Control in the Federal Government, and applicable Federal laws and regulations, e.g., FMFIA.\nWe also considered DHS\' policies and guidance, e.g. the MAP Guide and the ICOFR Playbook, and input\nfrom the Office of Inspector General. Our evaluation criteria were:\n1.\t Identification (of the root cause) - Identification of the appropriate underlying root cause that is\n    causing the internal control deficiency. A comprehensive analysis typically includes a full assessment\n    of the business processes, data flows, and infonnation systems that drive the transactions/activities\n    associated with the accounting process where the internal control deficiencies are believed to exist. A\n    thorough root cause analysis should include:\n    a) Research to discover why, when, how the condition occurred - what went wrong and why?\n    b) Investigation to determine if the problem is procedural or human resources, or both.\n    c) An evaluation to determine if IT system functionality is contributing to the problem and if IT\n       system modifications could be part of the remediation.\n    d) An evaluation of internal controls, including the existence of compensating controls that may\n       mitigate the deficiency.\n2.\t Development (of the MAP) - The MAP includes action steps that address the root cause, and\n    attainable and measurable milestones at an appropriate level of granularity. Milestones should enable\n    independent analysis of a MAP\'s effectiveness in remediation of root causes and provide MAP users\n    with insight on the status of the MAP\'s implementation. For example, the MAP should enable a user\n    to determine if the appropriate level of resources to execute a milestone is available and to identify\n    potential gaps in milestones (e.g. a contractor may be needed before a specific milestone can be\n    achieved).\n\n\n\n\n                                                    6\n\n\x0c3.\t Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and\n    assigned. The individual MAP owner is responsible for its successful implementation, ensuring the\n    achievement of milestones and validation of results.\n4.\t Verification and Validation - The MAP includes written procedures that verify successful\n    implementation of the MAP, a means to track progress throughout the MAP lifecycle, and reporting\n    results when complete. These activities should include documentation reviews, work observations,\n    and performance testing, that is maintained for internal OMB A-123 review and external audit.\nResults - Findings and Recommendations - After conducting our analysis procedures described above\nand applying the evaluation criteria to the MAPs, we formulated our findings and recommendations. The\nfindings represent areas for potential improvement that could negatively affect FEMA\' s remediation of\nthe material weaknesses if the MAP is performed as designed.\n\nFINDINGS AND RECOMMENDATIONS\n\nFindings\nFEMA prepared and submitted MAPs to the OCFO as instructed in the MAP Guide. The MAPs address\neach of the four primary processes where control deficiencies existed at the end of FY 2007. FEMA\'s\ndocumentation of its root cause analysis was limited to the information provided on the MAP.\nConsequently, our review of FEMA\'s work supporting its MAP was limited to reading the MAP,\ncomparing the information to the DRS FY 2007 Independent Auditors\' Report, and inquiry with various\nFEMA personnel and management. Based on our inquiry with FEMA personnel, we determined that\nFEMA was knowledgeable of the MAP Guide, performed a limited review to determine the source and\ncause of control deficiencies, and incorporated the results into the individual MAPs in the form of\nmilestones.\nFEMA management exhibited an understanding of the issues and described some corrective actions that\nwere not always documented in the MAP. Further, in coordination with the OCFO, FEMA updated its\ncorrective action milestone schedule in the ICOFR Playbook in response to some of the findings\ndescribed below. We considered those modifications in drafting our report, however due to the timing of\nour review; we were unable to perform audit procedures on changes made to the ICOFR Playbook after\nJanuary 22, 2008.\nOur findings are:\n    \xe2\x80\xa2\t   The MAP Summary and Detailed Report documents that support the ICOFR Playbook could be\n         improved.\n            -   The root cause analysis is often only generally defined and in some cases is a condition or\n                symptom of the problem, instead of the describing the underlying issue, e.g., "Lack of\n                resources to perform approvals due to increased volume of activity resulting from recent\n                disasters" or "FEMA lacks formalized policies related to grant accrual methodology."\n                The root cause analysis documented in the MAPs does not always describe why, when,\n                and how the conditions occurred.\n                The milestone steps are not clearly linked to root causes. As a result, we could not\n                determine how the milestones related to the issues identified and root causes, or if the\n                milestones listed in the FEMA MAP sufficiently addressed all root causes and\n                corresponding control deficiencies.\n                The MAPs do not contain the depth of analysis and independent consideration that is\n                contemplated by the Departments MAP Guide. In addition, there appears to be a reliance\n                on the DRS FY 2007 Independent Auditors\' Report to identify conditions leading to\n\n\n\n\n                                                    7\n\x0c                 internal control deficiencies, in lieu of an independent analysis as suggested by the MAP\n                 Guide.\n                 Each of the MAPs lacks an appropriate degree of detail, including measurable action\n                 steps or milestones necessary to remediate the root cause of the control deficiencies. For\n                 example, the actuarial and other liabilities MAP contain the milestone "Develop grant\n                 accrual model." However, it is not clear how the model is going to be developed.\n                 The MAPs do not build out specific actions and a clear time-line with milestones\n                 including who will do the work, the actions to take, how results will be documented and\n                 verified, and when the account balances will be ready for audit. Milestone due dates are\n                 sometimes listed as "TBD."\n                 The financial statement assertion sections of the MAPs were not complete at the time of\n                 our audit, and consequently, the MAP milestones are not linked to the financial statement\n                 assertions (e.g., completeness, accuracy, and existence) affected by the control\n                 weaknesses.\n    \xe2\x80\xa2\t   Critical dependencies are not clearly identified within each MAP and affected milestones. Key\n         relationships may exist between:\n                 Certain milestones (e.g., computation of the grant accrual and access to reliable data);\n                 Accounting processes (e.g., entity level controls and accounting for mission\n                 assignments); and\n                 Third parties, e.g., other Federal agencies who receive mission assignments. For\n                 example, the Budgetary Accounting MAP did not include milestone to correspond with\n                 grantees to determine what information is available and how to improve communication\n                 (lack of communication was identified as a root cause issue).\n         In addition, FEMA is dependent on the Department for various policies and procedures, and\n         executive management support for organizational change needed to remediate FEMA\'s entity\n         level control deficiency. In addition, FEMA\'s IT systems affect their ability to maintain an\n         accurate accounting after corrective actions are taken. For example, the Capital Assets and\n         Supplies MAP does not include milestones for determining the sufficiency of the property\n         management system, and maintenance ofa reliable perpetual inventory.\n    \xe2\x80\xa2\t   The milestones do not separately address the need for "catch-up" activity to reconcile the backlog\n         of old mission assignments, or to establish a beginning inventory of capital assets. Mission\n         assignments and capital assets require substantial effort to correct the beginning balance for\n         financial statement purposes. Those MAPS should include specific steps to (l) correct balances\n         to be accurate and complete on a specified historical date, e.g., September 30, 2007, and (2)\n         maintain an accounting for those balances prospectively.\n    \xe2\x80\xa2\t   As written, the FEMA MAPs lack a complete plan for verification and validation of MAP results\n         that can be used to monitor and report results, and the MAPs are not clearly linked to the\n         Department\'s OMB Circular A-123 initiatives currently underway.\n\n\nRecommendations\nAs mentioned in the introductory paragraphs to the Findings section, management has indicated several of\nthe findings described above were addressed by FEMA after the date of our audit, resulting in updated\nmilestones in the ICOFR Playbook. Due to the timing of our audit, we were unable to complete\nprocedures to determine how the ICOFR Playbook changes might affect our recommendations below.\nWe recommend thatFEMA perform the following to address our fmdings.\n\n\n\n\n                                                      8\n\n\x0c1. Review each MAP and:\n        a.\t Continue to perform an in-depth root cause analysis until management has fully examined\n            why, when, and how the control deficiencies occurred. Expand the MAPs to include more\n            detail, measurable action steps, specific actions, assignments to individuals, link the\n            milestones to root causes and financial statement assertions, and a time-line for completion.\n            The MAP and milestone chart will likely require periodic updates as management proceeds\n            with its corrective actions;\n        b.\t Avoid reliance on the Independent Auditors\' report as a source for causes of control\n            deficiencies. A financial statement audit is not designed to identify all of the causes of a\n            control deficiency, and consequently, management should perform an independent\n            assessment, to be sure the MAP will fully and truly correct the issues identified;\n        c.\t Prioritize the MAPs and milestone actions to focus on areas that may result in cross-cutting\n            benefits, and minimize duplication of effort where corrective actions overlap (Le., correction\n            of IT system posting logic errors may resolve multiple issues, or mitigate the need for process\n            changes). Avoid devoting resources to milestones designed to address symptoms of\n            deficiencies, except when it is necessary to accurately and completely state financial\n            statement balances;\n2.\t Identify and document consideration of all significant dependencies, with overlapping processes,\n    other FEMA MAPs, other Departmental MAPs, and actions that need to be taken by other Federal\n    agencies. Perform process/sub-process analysis at a detailed activity or transaction level to identify\n    all control and process deficiencies. This analysis should include a walkthrough or "test drive" of the\n    activity/process flow with actual data or transactions. This will facilitateFEMA\'s ability to develop\n    crosscutting MAPs that include any potential interrelationships between processes or other MAPs..\n3.\t Include specific assessments of IT systems in the early stages of the MAP process to ensure that\n    FEMA\'s IT systems are able to support updated procedures, corrected processes and new internal\n    control procedures.\n4.\t Revise the MAPs to separate the financial statement balance reconciliation and corrective adjustment\n    procedures from the process and control redesign aspect of the MAPs - separating the historical and\n    prospective elements of the MAP. Historical actions are generally one-time events, while the\n    prospective actions will likely require systemic, organizational, procedural, and process changes,\n    which may be more complex.\n5.\t When the MAPs are further developed, including the updates made in the ICOFR Playbook, develop\n    a plan for verification and validation of MAP results that can be used to monitor and report results. In\n    addition, we recommend that FEMA link the MAPs to the Departments OMB Circular A-123\n    initiatives currently underway.\n\nMANAGEMENT RESPONSE TO REPORT\n\nManagement has prepared an official response presented as a separate attachment to this report.\nIn summary, management agreed with our findings and its comments were responsive to our\nrecommendations. We did not audit management\'s response and, accordingly, we express no\nopinion on it.\n\n\n\n\n                                                     9\n\n\x0cKEY DOCUMENTS AND DEFINITIONS\n\nThis section provides key definitions and documents for the purposes of this report.\n\nThe Federal Managers\' Financial Integrity Act (FMFIA) requires that Executive Branch Federal agencies\nestablish and maintain an effective internal control environment according to the standards prescribed by\nthe Comptroller General and specified in the Government Accountability Office\'s (GAO) Standards for\nInternal Control in the Federal Government. In addition, it requires that the heads of agencies to\nannually evaluate and report on the effectiveness of the internal control and financial management\nsystems.\n\nGAO\'s Standards for Internal Control in the Federal Government (Standards) defines internal control as\nan integral component of an organization\'s management that provides reasonable assurance of:\neffectiveness and efficiency of operations, reliability of financial reporting, and compliance with\napplicable laws and regulations.\n\nThe Department of Homeland Security Financial Accountability Act (the DRS FAA) designates the\nDepartnient\'s Chief Financial Officer (CFO), under the authority of the Secretary, as the party responsible\nfor the design and implementation of Department-wide internal controls. Furthermore, the DRS FAA\nrequires that a management\'s assertion and an audit opinion of the internal controls over [mancial.\nreporting be included in the Department\'s annual Performance and Accountability Report.\n\nOffice of Management and Budget (OMB) Circular No. A-123, Management\'s Responsibility for\nInternal Control, provides guidance on internal controls and requires agencies and Federal managers to\n1) develop and implement management controls; 2) assess the adequacy of management controls; 3)\nidentify needed improvements; 4) take corresponding corrective action; and 5) report annually on\nmanagement controls. The successful implementation of these requirements facilitates compliance with\nboth FMFIA and the DRS FAA.\n\nOffice of Management and Budget (OMB) Circular No. A-127, Financial Management Systems,\nprescribes policies and standards for executive departments and agencies to follow in developing,\noperating, evaluating, and reporting on [mancial management systems. The successful implementation\nof these requirements facilitates compliance with both FMFIA and the DRS FAA.\n\nInternal Control Deficiencies - A control deficiency exists when the design or operation of a control\ndoes not allow management or employees, in the normal course of performing their assigned functions,\nto prevent or detect misstatements on a timely basis. A signifIcant deficiency is a control deficiency, or\ncombination of control deficiencies, that adversely affects DRS\' ability to initiate, authorize, record,\nprocess, or report [mancial data reliably in accordance with U.S. generally accepted accounting\nprinciples such that there is more than a remote likelihood that a misstatement of DRS\' financial\nstatements that is more than inconsequential will not be prevented or detected by DRS\' internal control\nover financial reporting. A material weakness is a significant deficiency, or combination of significant\ndeficiencies, that results in more than a remote likelihood that a material misstatement of the financial\nstatements will not be prevented or detected by DRS\' internal control.\n\nManagement Directive (MD) 1030, Corrective Action Plans, establishes the "Department\'s vision and\ndirection on the roles and responsibilities for developing, maintaining, reporting, and monitoring MAPs\nspecific to the DHS Financial Accountability Act, FMFIA, and related OMB guidance." In addition to the\nroles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The\n\n\n\n\n                                                    10\n\n\x0c    organizational structure detailed m MD 1030 encompasses employees at both the component and\n    department levels.\n\n    The Internal Controls Over Financial Reporting (ICOFR) Playbook (lCOFR Playbook) was developed\n    by the OCFO, Internal Control Program Management Office, to assist the Department in meeting the\n    financial accountability requirements outlined in *e DRS FAA. The ICOFR Playbook outlines the\n    Department\'s "strategy and process to resolve material weaknesses and build management assurances."\n    On an annual basis, the ICOFR Playbook is updated by the OCFO to enhance its exiting guidance, as\n    necessary, and establish milestones, which will be monitored by the OCFO throughout the year. A\n    component of the ICOFR Playbook is MAPs developed by the Department and its components to correct\n    internal control deficiencies.\n\n    The Mission Action Plan Guide. Financial Management Focus Areas Fiscal Year 2008 (MAP Guide)\n    outlines the policies and procedures to be used to develop MAPs throughout DRS, pursuant to the roles\n    and responsibilities established by the DRS Management Directive (MD) 1030, Corrective Action Plans.\n    The MAP Guide applies to all Department Components and Offices (e.g., OFM) where a control\n    deficiency has been identified. Note non-conformances related to the Federal Information Security\n    Management Act (FISMA), are under the purview of the Department\'s Chief Information Security\n.   Officer\'s Plan ofAction and Milestones (POA&M) Process Guide.\n\n    Electronic Program Management Office (ePMO) is a Web-based software application the OCFO\n    deployed to manage the collection and reporting of MAP information.\n\n    Mission Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the\n    remediation of internal control deficiencies identified by management or by external parties. MAP\n    documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP\n    Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief\n    descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick\n    Guide contained in the MAP Guide:\n\n       \xe2\x80\xa2\t The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency\n          conditions), results of the root cause analysis performed, relevant financial statement assertions\n          affected by the issue, key strategies and performance measures, resources required, an analysis of\n          the risks and impediments as seen by management, verification and validation methods, and the\n          critical milestones to be achieved.\n       \xe2\x80\xa2\t The MAP Detailed Report provides additional data on the milestones, not only on those identified\n          as critical but also those sub-milestones under a critical milestone. For each milestone (critical or\n          sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started,\n          Work in Progress and Completed), and the responsible and assigned parties.\n\n    The Department\'s Annual Financial Report (DRS AFR) was issued on November 15,2007 and consists\n    of the Secretary\'s Message, Management\'s Discussion and Analysis, Financial Statements and Notes, an\n    Independent Auditors\' Report, Major Management Challenges, and other required information. The AFR\n    was prepared pursuant to OMB Circular No. A-136, Financial Reporting Requirements.\n\n\n\n\n                                                       11\n\n\x0c                                                                 U.S. fJepartment of Homeland Security\n                                                                 500 C Street, SW\n                                                                 Washington, DC 20472\n\n\n\n\n                JUN   6 7C03\n\n\n\n\nMEMORANDUM FOR:\n\nFROM:\n\nSUBJECT:\t                      Draft Report: Independent Auditor\'s Report on FEMA\'s\n                               FY 2008 Mission Action Plans\n\nThank you for the opportunity to comment on the Draft Report: Independent Auditor\'s\nReport on FEMA\'s FY 2008 Mission Action Plans. We concur with the report\'s\nrecommendations and will ensure corrective actions are implemented to respond to the\nreport\'s findings. For example, we have added additional detailed milestones that will\nmeasure progress with material weaknesses in Actuarial and Other Liabilities, Budgetary\nAccounting and Capital Assets and Supplies.\n\n\n\n\n                                                                 www.fema.gov\n\x0cReport Distribution\n\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nUnder Secretary for Management\nAssistant Secretary for Policy\nAssistant Secretary for Public Affairs\nAssistant Secretary for Legislative Affairs\nChief Financial Officer\nChief Information Officer\nChief Privacy Officer\nDHS GAO/OIG Audit Liaison\nFEMA Administrator\nFEMA Acting CFO\nFEMA Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriation Committees,as appropriate\n\x0cAdditional Information and Copies\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web\nsite at www.dhs.gov/oig.\n\n\nOIG Hotline\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of\ncriminal or noncriminal misconduct relative to department programs or\noperations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector GenerallMAIL STOP 2600, Attention:\n           Office of Investigations\xc2\xb7 Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'